A. Company Information
1. Vendor Name (Required)
2. Primary Contact (Required): First, Last
3. Title/Position
4. Who is the primary official responsible for the information security process and management in your organization? (Required): First, Last
5. Title/Position
6. Email (Required)
7. Phone (Required)
8. Company Address
9. Company Website (Required)
10. Number of Employees
11. Years in Operation
12. Are the Information Security functions clearly defined, staffed, and communicated to stakeholders? Yes / No / N/A / Other

B. Personal Data Processing
13. Do you delete Personal Data from your systems according to clients' instructions? Yes / No / N/A / Other
14. If you rely on third-party entities for service provision, are Data Processing Agreements in place? Yes / No / N/A / Other
15. Are your employees trained on Data Protection requirements and bound by confidentiality obligations? Yes / No / N/A / Other
16. Are you compliant with the Australian Privacy Act? Yes / No / N/A / Other

C. Risk Management
17. Do you have Cybersecurity Insurance? Yes / No / N/A / Other
18. Are information risk assessments conducted regularly using a structured methodology? Yes / No / N/A / Other
19. Has an information risk assessment methodology been adopted? (Detail the activities covered.) Yes / No / N/A / Other

D. Asset Management & Data Handling
20. Are all assets identified, inventoried, and managed according to their criticality? Yes / No / N/A / Other
21. Is a Data Disposal procedure implemented in line with the Retention Policy? Yes / No / N/A / Other
22. Is any of our data (Diversity Atlas or Cultural Infusion) saved locally on machines or in the cloud? If in the cloud, which data center? Yes / No / N/A / Other
23. If we cancel our contract, can you ensure all our data is completely wiped from your servers/systems? Yes / No / N/A / Other
24. Is there a comprehensive security awareness program in place for all individuals accessing the organization's information and systems? Yes / No / N/A / Other
25. Do you use encryption both in transit and at rest? Yes / No / N/A / Other
26. Does Diversity Atlas's data ever leave Australia? Yes / No / N/A / Other

E. Supplier & Third-party Management
27. Is information risk managed with external suppliers by embedding security requirements in contracts? Yes / No / N/A / Other

F. Independent Reviews & Audits
28. When was your latest external audit? Can you share the Certificates?
    Date (Month / Day / Year)
    Attachment: please upload the results, certifications and other evidence related to your latest external audit. Accepted file types: pdf, jpg; max. file size 64 MB; max. 2 files.
    Comment
29. Are independent reviews performed at least annually to ensure compliance with policies and regulations? Yes / No / N/A / Other
30. Do you permit your clients to perform checks and audits on request? Yes / No / N/A / Other
31. Do you have external certifications on information security available? (e.g., ISO 27001, SOC 1/2/3) Yes / No / N/A / Other
    Attachment: please upload your documents related to the external information security certifications available. Accepted file types: jpg, pdf; max. file size 2 MB; max. 3 files.
32. When was your most recent Penetration Testing and Vulnerability Assessment carried out? Can you share the results?
    Date (Month / Day / Year)
    Attachment: please upload and share the results of your most recent Penetration Testing and Vulnerability Assessment. Accepted file types: jpg, pdf; max. file size 2 MB; max. 3 files.
    Comment
33. Can you share the results of your most recent Penetration Testing and Vulnerability Assessment? Yes / No / N/A / Other

G. Secure Development & Implementation
34. Is the Security by Design principle implemented? Yes / No / N/A / Other
35. Does the secure development lifecycle include security testing before software is released for production use? Yes / No / N/A / Other

H. Access Control & Authentication
36. Is access to applications, systems, and networks restricted to authenticated and authorized users? Yes / No / N/A / Other
37. Are passwords managed according to an enforced Password Policy? Yes / No / N/A / Other
38. Is two-factor authentication used for sensitive data, critical applications, and privileged access? Yes / No / N/A / Other

I. Information Classification & Handling
39. Has an information classification scheme been established? Yes / No / N/A / Other
40. Are guidelines in place for information handling to protect against unauthorized disclosure? Yes / No / N/A / Other
41. Are information security policies and procedures developed using a governance model with defined roles and accountability? Yes / No / N/A / Other

J. Network & Systems Security
42. Are systems and networks configured and segregated to prevent the propagation of cyber-attacks? Yes / No / N/A / Other
43. Are communication systems protected with security settings, policies, and infrastructure hardening? Yes / No / N/A / Other

K. Physical Security
44. Are physical security controls implemented based on risk assessment? Yes / No / N/A / Other
45. Are servers and devices stored in areas with controlled access? Yes / No / N/A / Other

L. Security Monitoring & Logging
46. Are logs maintained, recording key activities and security events? Yes / No / N/A / Other
47. Are security monitoring activities in place to respond to threats and support incident investigations? Yes / No / N/A / Other

M. Incident Management & Data Breach Notification
48. Is there a framework for information security incident management? Yes / No / N/A / Other
49. Are there criteria for notifying customers of incidents or data breaches affecting their data? Yes / No / N/A / Other

N. Business Continuity
50. Are business continuity plans in place and tested for critical business processes and applications? Yes / No / N/A / Other

O. Data Backup & Recovery
51. Are backups secured for recovery purposes? Yes / No / N/A / Other
52. Are periodic tests of the backup procedure conducted to confirm recovery effectiveness? Yes / No / N/A / Other
53. For backups, is the data encrypted? Yes / No / N/A / Other
54. In your backup system, is our data kept separate from other clients' data, or is it a multi-tenant architecture? Yes / No / N/A / Other